Bluetooth Hacking - Full Disclosure


Remote Device Identification based on Bluetooth Fingerprinting Techniques

White Paper (Version 0.3)

Martin Herfurt and Collin Mulliner

{martin,collin}@trifinite.org

December 20, 2004

Abstract

We introduce a method to efficiently determine a Bluetooth device's properties as needed for a variety of purposes. Blueprinting aims to set a standard for fingerprinting Bluetooth devices. The idea is similar to the IP fingerprinting techniques used in tools like nmap, where it is possible to determine a host's operating system from the specific behavior of its IP stack. With Blueprinting it is possible to determine the manufacturer, the device model and the firmware version of the respective device. The introduced method is intentionally simple so that it can be executed on constrained devices that are not capable of calculating common hashes such as MD5: the J2ME Connected Limited Device Configuration (CLDC) Version 1.0 (as used in many mobile handsets) can perform it.

This text is licensed under the Creative Commons Attribution-ShareAlike 2.0 License. This license permits you to copy, distribute, display, and perform the work, to make derivative works and to make commercial use of the work. These rights are granted as long as you give the original author credit and as long as you distribute resulting work under a license identical to this one. For more detailed information on this specific license, please check http://creativecommons.org

trifinite.group

1 Introduction

During the last years, Bluetooth has become a well-recognized wire replacement standard for all kinds of devices. Mainly in the consumer electronics and automotive industries, the Bluetooth standard has gained acceptance and is deployed in a growing number of products. At the time of writing, the number of Bluetooth radios in use is four times the number of Wi-Fi radios deployed.

Herein, we introduce a method to efficiently determine a Bluetooth device's properties as needed for a variety of purposes. Blueprinting aims to set a standard for fingerprinting Bluetooth devices. The idea is similar to the IP fingerprinting techniques used in tools like nmap, where it is possible to determine a host's operating system from the specific behavior of its IP stack. With Blueprinting it is possible to determine the manufacturer, the device model and the firmware version of the respective device. The introduced method is intentionally simple so that it can be executed on constrained devices that are not capable of calculating common hashes such as MD5: the J2ME Connected Limited Device Configuration (CLDC) Version 1.0 (as used in many mobile handsets) can perform it.

There are many reasons that justify a method for identifying Bluetooth-enabled devices by the characteristics of their radio interface.

1.1 Device Statistics

One of the purposes Blueprinting could be used for is the statistical examination of different environments. This way, it is possible to compile statistics on manufacturers and device models at particular places, as was done in the CeBIT field trial report [1]. There are further scenarios in which determining Bluetooth device properties makes sense.

1.2 Automated Application Distribution

There are many different mobile handsets, running many different operating system platforms. One of the most popular platforms is Symbian [2], but there are a number of others. Mobile device manufacturers develop applications for many different purposes. In order to deliver an application for the right platform, the application distributor needs to know the requesting device model, so that the version pushed to the device is one that supports, e.g., the larger display of a certain device. Unfortunately, malicious applications such as the proof-of-concept virus Cabir [3] could also profit from an identification method like Blueprinting.

1.3 Security Audits

Early implementations of the Bluetooth standard in devices of various manufacturers are subject to more or less severe security issues. Attacks like the BlueSnarf attack [4], the BlueBug attack [5] or the BlueSmack attack [6], which enable the extraction of sensitive information, the abuse of telecommunication services or denial of service, depend on the firmware and the model of the affected phones. In order to report such security issues to the respective manufacturers, it is important to know the properties of the affected device. Blueprinting contributes to the efforts to make Bluetooth devices more secure.

2 Device Information

Blueprinting encapsulates the information necessary to determine device-specific properties such as the manufacturer, the model and the firmware version. Since mobile phones and PDAs make up the biggest group of Bluetooth-enabled devices, Blueprinting mainly focuses on these. The method relies on device-specific information collected in experiments such as the CeBIT experiment [1] and is therefore not as detailed as it could be.

Every Bluetooth-enabled device has characteristics that are either unique (the Bluetooth device address), manufacturer-specific (the first part of the Bluetooth device address) or model-specific (the service records). Blueprinting combines the different pieces of information that Bluetooth-enabled devices reveal in order to identify the manufacturer as well as the model of the device. For some devices, the firmware version can be derived from the same characteristics.

2.1 Bluetooth Device Address

As mentioned above, the Bluetooth device address (BD_ADDR) is unique and globally refers to one single device. The BD_ADDR consists of 48 bits (6 bytes) and is usually written like a MAC address (e.g. MM:MM:MM:XX:XX:XX). The address is programmed into the Bluetooth radio. The first three bytes (denoted by M's above) form the Organizationally Unique Identifier (OUI), which identifies the company that registered the address block: in practice usually the device manufacturer (00:60:57 is Nokia in the appendix table), but it may also be the chipset or module vendor. A current list of these assignments can be found in the OUI database hosted by the IEEE [7]. Unfortunately, the remaining three bytes (denoted by X's above) say nothing about the device model, since they are not allocated per model. Therefore, to identify a manufacturer's model, Blueprinting takes the SDP [8] records into account, which can be queried from any device that offers services.

2.2 SDP Profiles

The Service Discovery Protocol (SDP) [8] is the mechanism by which a Bluetooth device describes the services it offers to other devices; this paper refers to the individual service records as SDP profiles. This is done for auto-configuration purposes and to help a user set up a connection to a specific device. The records are served by the device's SDP server and describe how to access the offered services. Every SDP record has properties that can be used to identify the device. Figure 1 shows an OBEX Object Push record as retrieved by the BlueZ [9] utility sdptool.

3 Blueprinting

Blueprinting uses specific information from the SDP records of a device to create a hash for that device. According to the standard [8], every record holds a Service Record Handle, a 32-bit number assigned by the SDP server when the service is registered during startup of the device (e.g. 0x1000c in Figure 1). In the case of mobile phones, the record handles are not dynamically assigned but statically coded in the phone's firmware, so they are stable across reboots. The other value that goes into the hash is the RFCOMM channel or the L2CAP PSM (Protocol/Service Multiplexer) under which the service can be reached. In the record of Figure 1 this is RFCOMM channel 9.

Service Name: OBEX Object Push
Service RecHandle: 0x1000c
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100

Figure 1: OPUSH record from a Nokia 6310i, as printed by sdptool

One part of a device's Blueprinting hash is the sum, over all running services, of the record handle multiplied by the channel. The following example shows this for an SDP export from a Nokia 6310i:

RecHandle   Channel   Product
0x1000b           2    131094
0x1000c           9    589932
0x1000d           1     65549
0x1000e          15    983250
0x1000f           3    196653
0x10010          13    852176
0x10011          12    786636
                      -------
Sum                   3605290

The sum, 3605290, is the hash part of the fingerprint listed for the Nokia 6310i in the appendix (00:60:57@3605290).

3.1 Blueprinting Software

The Blueprint [10] software is a proof-of-concept implementation of the fingerprinting technique described here. For simplicity, it was implemented in Perl and reads the output of sdptool [9]. Blueprint uses a simple text-based database that contains fingerprints and information about the associated devices. The implementation also combines the hash with the manufacturer part of the BD_ADDR to achieve a higher matching rate (Figure 2); Figure 3 shows a database entry.


00:60:57@2621543

Figure 2: Example of a Blueprint fingerprint

00:60:57@2621543

device: Nokia 6310i

version: V 5.22 15-11-02 NPL-1

date: n/a

type: mobile phone

note: vulnerable to BlueBug attack

Figure 3: Example of a Blueprint database entry
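The procedure of sections 3 and 3.1, as an added Python example that is not the Blueprint tool (which is a Perl script) and not code from the paper: parse sdptool output into records, sum RecHandle times channel, prefix the manufacturer part of the BD_ADDR in the Figure 2 format, and look the result up in a database written in the Figure 3 format. The sdptool dump is constructed (the first record is Figure 1; the other six carry only the RecHandle/Channel pairs of the worked example), the database entries beyond Figure 3 and the BD_ADDR 00:60:57:12:34:56 are constructed as well, and the example goes one step beyond the text by taking the L2CAP PSM for services that have no RFCOMM channel, which the paper mentions but does not show.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: sdptool-style records for a Nokia 6310i.  The first
# record is the OPUSH record of Figure 1; the six appended below use only the
# RecHandle/Channel pairs of the worked example in section 3.
SAMPLE_SDPTOOL_OUTPUT = """\
Service Name: OBEX Object Push
Service RecHandle: 0x1000c
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100
""" + "".join(
    f"\nService RecHandle: {h:#x}\nProtocol Descriptor List:\n"
    f'  "L2CAP" (0x0100)\n  "RFCOMM" (0x0003)\n    Channel: {c}\n'
    for h, c in [(0x1000b, 2), (0x1000d, 1), (0x1000e, 15),
                 (0x1000f, 3), (0x10010, 13), (0x10011, 12)])

# Constructed sample database in the Figure 3 format: entry one is Figure 3
# verbatim; the other keys and device names come from the appendix table.
SAMPLE_DATABASE = """\
00:60:57@2621543
device: Nokia 6310i
version: V 5.22 15-11-02 NPL-1
date: n/a
type: mobile phone
note: vulnerable to BlueBug attack

00:60:57@3605290
device: Nokia 6310i

00:0E:ED@4391166
device: Nokia 6320

00:02:EE@4391166
device: Nokia 6820
"""

class SdpRecord(NamedTuple):
    handle: int             # Service RecHandle (32-bit, assigned by the SDP server)
    channel: Optional[int]  # RFCOMM server channel, if the record has one
    psm: Optional[int]      # L2CAP PSM, if the record has one

# (regex, field) for each sdptool line the fingerprint needs.
_FIELDS = ((re.compile(r"^Service RecHandle:\s*0x([0-9A-Fa-f]+)"), "handle"),
           (re.compile(r"^\s*Channel:\s*(\d+)"), "channel"),
           (re.compile(r"^\s*PSM:\s*(\d+)"), "psm"))

def parse_sdptool(text: str) -> List[SdpRecord]:
    """Parse the blank-line separated records printed by `sdptool browse`."""
    records: List[SdpRecord] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        cur: Dict[str, int] = {}
        for line in block.splitlines():
            for pattern, key in _FIELDS:
                m = pattern.match(line)
                if m and key not in cur:  # first Channel/PSM of a record wins
                    cur[key] = int(m.group(1), 16 if key == "handle" else 10)
                    break
        if "handle" in cur:  # a block without a handle is not a record
            records.append(SdpRecord(cur["handle"], cur.get("channel"), cur.get("psm")))
    return records

def blueprint_hash(records: List[SdpRecord]) -> int:
    """Sum of RecHandle * port (RFCOMM channel, else L2CAP PSM) over all services."""
    total = 0
    for r in records:
        port = r.channel if r.channel is not None else r.psm
        if port is not None:  # a record exposing neither contributes nothing
            total += r.handle * port
    return total

def oui(bdaddr: str) -> str:
    """Manufacturer part (first three bytes) of a BD_ADDR MM:MM:MM:XX:XX:XX."""
    return bdaddr.strip().upper()[:8]

def fingerprint(bdaddr: str, records: List[SdpRecord]) -> str:
    """Figure 2 format: OUI@hash."""
    return f"{oui(bdaddr)}@{blueprint_hash(records)}"

def parse_database(text: str) -> Dict[str, Dict[str, str]]:
    """Figure 3 format: a fingerprint line followed by 'key: value' lines."""
    db: Dict[str, Dict[str, str]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        key, *fields = block.strip().splitlines()
        db[key.strip()] = {k.strip(): v.strip()
                           for k, _, v in (f.partition(":") for f in fields)}
    return db

def candidates_by_hash(db: Dict[str, Dict[str, str]], fp: str) -> List[str]:
    """Entries sharing the hash regardless of OUI (why Blueprint prefixes the OUI)."""
    h = fp.split("@", 1)[1]
    return sorted(k for k in db if k.split("@", 1)[1] == h)
```

Against the sample, `fingerprint("00:60:57:12:34:56", parse_sdptool(SAMPLE_SDPTOOL_OUTPUT))` reproduces 00:60:57@3605290, which `parse_database(SAMPLE_DATABASE)` resolves to the Nokia 6310i. `candidates_by_hash` on 4391166 returns both the Nokia 6320 and the Nokia 6820 entries, which is the case the OUI prefix disambiguates; even an exact match should be read as a firmware-family identification, since the appendix lists the same fingerprint for distinct models (e.g. 00:60:57@1704022 for both the Nokia 3650 and the N-Gage).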

4 Related Work

4.1 Bluetooth Security Device Database

The Bluetooth Device Security Database [11] was created after various security-related bugs were found in embedded Bluetooth devices. The btdsd project's goal is to collect information on the (default) security settings of Bluetooth-enabled devices. The collection shows that nearly all manufacturers implement different default security settings and security features. The database was used in the evaluation of the Blueprinting technique.

5 Future Work

The work described here is the basis for ongoing work in this area. The trifinite.group invites everyone to contribute to all future efforts. Continued progress relies on building a more comprehensive collection of SDP profile dumps, which can be contributed by email. For information on how to contribute, check the Bluetooth Device Security Database page [11].

5.1 Non-SDP Fingerprinting

Blueprinting, so far, only uses Service Discovery Protocol (SDP) [8] information to identify devices. In the future, data from higher- and lower-level protocols should be used for identification as well. Examples could be Link Manager (LM) commands (when connecting to a specific service) or OBEX [12] behavior.

6 Conclusions

Blueprinting is a novel method for identifying Bluetooth-enabled devices by means of their radio interface and the Bluetooth stack of their operating system. The information gathered so far about SDP records demonstrates a decreasing diversity in mobile phone operating systems, e.g. the prevalent use of Symbian [2]. The increasing uniformity is evident from similar Blueprinting hashes even where the hardware and the manufacturer of the products differ. Current trends suggest that the variety of Blueprinting hashes will most likely decrease further. The fact that many phones share the same operating system could result in serious trouble once a security flaw is discovered in a common operating system.

Blueprint Device Hashes

This section lists the hashes collected so far. Some devices have multiple entries because different firmware versions result in different Blueprinting hashes. Conversely, some distinct models share an entry (00:60:57@1704022 and 00:60:57@1704023 appear for both the Nokia 3650 and the Nokia N-Gage, and the hash 4063698 for the Sony Ericsson T610, T630 and Z600), so a hash match narrows the device to a firmware family rather than always identifying a single model.

Blueprinting Hash    Manufacturer     Model                 Firmware
00:0A:95@1114112     Apple            Wireless Keyboard     unknown
00:01:EC@2359452     Ericsson         T39m                  unknown
00:30:6E@269099048   HP               bt130                 unknown
08:00:28@3342638     HP               iPAQ h6315            initial firmware
08:00:17@2949325     HP               iPAQ 5500             PocketPC (4.20.1081)
00:0C:55@983040      Microsoft        Windows XP            SP2
C6:F7:4A@655407      Motorola         A1000                 unknown
00:0A:28@1769675     Motorola         V600                  unknown
00:60:57@1704044     Nokia            3650                  unknown
00:60:57@1704020     Nokia            3650                  unknown
00:60:57@1704022     Nokia            3650                  unknown
00:60:57@1704023     Nokia            3650                  unknown
00:60:57@3605290     Nokia            6310i                 unknown
00:60:57@3607710     Nokia            6310i                 unknown
00:60:57@3604685     Nokia            6310/6310i            unknown
00:60:57@2621543     Nokia            6310/6310i            unknown
00:0E:ED@4391166     Nokia            6320                  unknown
00:60:57@1704035     Nokia            6600                  unknown
00:60:57@1704034     Nokia            6600                  unknown
00:02:EE@4391166     Nokia            6820                  unknown
00:60:57@4128974     Nokia            7600                  unknown
00:60:57@1507391     Nokia            7650                  unknown
00:02:EE@1507908     Nokia            7650                  V 3.16 / 15-08-02 / NHL-2NA
00:02:EE@5112150     Nokia            7820                  unknown
00:60:57@1704022     Nokia            N-Gage                unknown
00:60:57@1704023     Nokia            N-Gage                unknown
00:60:57@1507402     Nokia            N-Gage                V 3.30 28-08-2003 NEM-4
08:00:46@196613      Sony             Clie PEG TH55         unknown
00:0A:D9@4063698     Sony Ericsson    T610                  R1L013
00:0E:07@4063698     Sony Ericsson    T630                  unknown
00:0A:D9@917518      Sony Ericsson    P800                  CXC12529 R2C
00:0A:D9@1179718     Sony Ericsson    P900                  unknown
00:0A:D9@1180018     Sony Ericsson    P900                  unknown
00:0A:D9@1179678     Sony Ericsson    P900                  unknown
00:0A:D9@4063698     Sony Ericsson    Z600                  unknown
00:01:E3@1188286     Siemens          S55                   unknown
00:01:E3@1537756     Siemens          S55                   PDate: 2003-03-31 SW-Version: 12 SW-Date: 2003-03-28 Variant: A 159 Std-MAp/SW: 76/14
00:01:E3@1957354     Siemens          S65                   unknown
01:90:71@1957354     Siemens          SK65                  unknown
00:01:E3@1704023     Siemens          SX1                   Product: SX1 P-Date: 2003-12-14 SVN:05 Appl SW Date:21112003 Appl SW:12:2 05 Date: 2003-11-21 Modem Variant:B 101 Std-Map/SW:1/5 D-Map/Prov.:1/6 Variant Name:SX1 TMOD-uk-de-nl 05 0003 Lang T9:uk-de-nl/uk-de-nl Rolf Variant Name:SX1 TMOD-uk-de-nl 05 0003 Rolf lang T9: uk-de-nl/uk-de-nl Codecs: FR/EFR/HR Audio-Par.: NfV 16 Acc.: None
00:E0:00@983040      Siemens Fujitsu  LOOX 600              Operating System Version: 3.0 (PocketPC, exact version unknown)


References

[1] Martin Herfurt. Bluesnarfing @ CeBIT 2004 – Detecting and Attacking Bluetooth-enabled Cellphones at the Hannover Fairground. Technical report, trifinite.org, http://trifinite.org/trifinite_downloads.html, March 2004.

[2] Symbian Ltd. Symbian OS. http://www.symbian.com.

[3] Networks Associates Technology, Inc. Symbian Cabir. http://vil.nai.com/vil/content/v_126245.htm, June 2004.

[4] Adam Laurie and Ben Laurie. Serious flaws in Bluetooth security lead to disclosure of personal data. Technical report, A.L. Digital Ltd., http://bluestumbler.org/, January 2004.

[5] Martin Herfurt. BlueBug. Technical report, trifinite.org, http://trifinite.org/trifinite_stuff_bluebug.html, April 2004.

[6] Martin Herfurt. BlueSmack. Technical report, trifinite.org, http://trifinite.org/trifinite_stuff_bluesmack.html, December 2004.

[7] IEEE. OUI and Company_id Assignments. http://standards.ieee.org/regauth/oui/oui.txt, 2004.

[8] Bluetooth SIG Inc. Bluetooth – The Official Bluetooth Membership Site. https://www.bluetooth.org.

[9] BlueZ Project. BlueZ – Official Linux Bluetooth protocol stack. http://www.bluez.org.

[10] Martin Herfurt and Collin R. Mulliner. Blueprint – proof-of-concept implementation for Bluetooth fingerprinting. http://www.trifinite.org, December 2004.

[11] Collin R. Mulliner. Bluetooth Device Security Database. http://www.betaversion.net/btdsd/, November 2003.

[12] Wikipedia – The Free Encyclopedia. IrOBEX. http://en.wikipedia.org/wiki/OBEX.
